docker service create doesn't allow --privileged flag #24862
Comments
I think there is a whole set of issues for these features on I think the plan was to discuss what should be added, once 1.12 is released. |
Correct, I was planning to create a tracking issue for that |
I could really use this for 1.12 as well. If this is an area I could jump in and issue a PR, I'm happy to get started on it. |
We need to decide first; services are not "containers", so not all options can be / should be copied to service create |
@thaJeztah Another consideration - I have different needs between a replicated service and a global one. If a jobs service type is introduced, which has been discussed, those needs might be different too. The global one I may expect to have more flags/options around, just given the nature of "other things" I might be doing with them (monitoring, networking, running containers, etc.). I suppose I could have a global service that mounts the docker socket that then runs a privileged container on each node, but that seems messy (now the tasks in my global service are managing the lifecycle of a container on each engine separately). Hopefully that helps with some of that discussion. |
If services != containers, why do you pass an image name to the create command? Seems like you would rather pass something like a manifest (maybe exactly like the docker-compose.yml file ?). For this issue, if it is a PR, I'll phrase it in user story format: As a user of swarm, I want to create services and containers which run under privileged mode. How do I do this? I'm happy to help any way that I can! |
@frellus You're right - stacks/DABs are really what I need but they're also really early and don't have a service type option associated with them yet. There's also some other little nits there I need to write a more specific issue around in compose. Ultimately it's all still a bit of a chicken and egg problem - in one I get privileged, in the other I get service types. :) It'll all shake out, for now just reporting my uses to help provide as much data as I can! 😄 |
I am very interested in this, because as far as I know the Oracle DB cannot run in a container without either the Given that they are both not supported yet in API 1.24 for services AFAICS, it would be impossible to replace a Docker Swarm (standalone) by Docker 1.12 Swarm to run such services. Edit: Oracle just published Docker files |
Drive-by observation: you should do |
I'd really like to see it implemented soon - there are more solutions that require |
If I may add ... |
Just FYI, linking the PR for supporting "device" to this issue: Even though there would be |
+1
|
Missing --cap-add to use swarm mode in production; my management pushes me to move towards kubernetes if this option is not added soon. Do you have some plan and agenda for adding this feature please? |
+1
|
Working on kind of a workaround. It will run your privileged app in a secondary container by mounting /var/run/docker.sock in your service and proxying tcp connections back to the service container with socat and unix sockets. Still needs some work though. |
Usage: $ make test-integration-cli-parallel parallel(1) needs to be installed. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
I'd also like to see the I'm using signal traps, socat, and the docker socket to pair swarm mode service containers with a local privileged mode container. It seems to work well so far! |
Just another use case, I want to run keepalived with vrrp on a swarm and it needs net=host and --cap-add=NET_ADMIN, so cap-add would be great. |
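The two workarounds above (a service that mounts `/var/run/docker.sock` and drives a privileged container on each node) and the keepalived request for `--cap-add=NET_ADMIN` are the two things an operator auditing a swarm should be able to spot, because a bind mount of the engine socket is equivalent to root on that node and some capabilities (`SYS_ADMIN`, `SYS_MODULE`, ...) are effectively the same as `--privileged`. The script below is an added example, not code from this thread or from Docker; it assumes the JSON shape of `docker service inspect` as of Docker 20.10 (`Spec.TaskTemplate.ContainerSpec.CapabilityAdd` and `.Mounts`), the sample inspect output is constructed, and the host-root capability list is the example's own classification.

```python
"""Audit Swarm service specs for --privileged-equivalent settings.

Added example (not from the issue thread or from Docker). It assumes the
JSON produced by `docker service inspect <svc> [<svc> ...]`, where each
entry carries Spec.TaskTemplate.ContainerSpec with CapabilityAdd (list of
"CAP_*" names, Docker 20.10+) and Mounts (Type/Source/Target).
"""
import json

# Capabilities that amount to host root once granted to a container.
# Assumed classification for this example; tune it to your own policy.
HOST_ROOT_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_SYS_BOOT", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_MKNOD",
}
DOCKER_SOCKET = "/var/run/docker.sock"


def norm_cap(cap):
    """Accept both 'NET_ADMIN' and 'CAP_NET_ADMIN' spellings."""
    cap = cap.upper()
    return cap if cap.startswith("CAP_") else "CAP_" + cap


def audit_service(svc):
    """Return a list of findings for one `docker service inspect` entry."""
    spec = svc.get("Spec", {})
    name = spec.get("Name", "<unnamed>")
    cspec = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    findings = []

    # Every added capability is worth a look; the host-root ones are
    # flagged high because they defeat the point of avoiding --privileged.
    for cap in map(norm_cap, cspec.get("CapabilityAdd") or []):
        severity = "high" if cap in HOST_ROOT_CAPS else "review"
        findings.append({"service": name, "kind": "cap_add",
                         "detail": cap, "severity": severity})

    # A bind mount of the engine socket lets the task create privileged
    # containers on the node, i.e. it is host root by another route.
    for mount in cspec.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCKET:
            findings.append({"service": name, "kind": "docker_socket",
                             "detail": mount.get("Target"), "severity": "high"})
    return findings


def audit_services(inspect_json):
    """Audit the whole JSON array returned by `docker service inspect`."""
    return [f for svc in json.loads(inspect_json) for f in audit_service(svc)]


# Constructed sample: three services, only the fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Spec": {"Name": "keepalived", "TaskTemplate": {"ContainerSpec": {
        "Image": "example/keepalived:latest",
        "CapabilityAdd": ["CAP_NET_ADMIN"]}}}},
    {"Spec": {"Name": "sock-proxy", "TaskTemplate": {"ContainerSpec": {
        "Image": "example/sock-proxy:latest",
        "CapabilityAdd": ["SYS_ADMIN"],
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Target": "/var/run/docker.sock"}]}}}},
    {"Spec": {"Name": "web", "TaskTemplate": {"ContainerSpec": {
        "Image": "example/web:latest"}}}},
])


if __name__ == "__main__":
    # Real usage: docker service inspect $(docker service ls -q) | python3 audit.py
    for f in audit_services(SAMPLE_INSPECT):
        print(f"{f['severity']:6} {f['service']:12} {f['kind']:13} {f['detail']}")
```

The keepalived case comes out as "review" (NET_ADMIN is the least privilege that use case needs), while the socket-proxy workaround is flagged twice as "high": once for `CAP_SYS_ADMIN` and once for the socket mount, which is the same access a `--privileged` service would have had.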
Pleeeeaaaaase add this feature in :( |
Pleeeeaaaaase don't send useless messages here. It just slows down the process, as a lot of people get notified and that time is taken away from actual implementation. My plan is to get #38380 released as part of 19.03 and then the actual Swarm side changes in the version which comes after that (19.06 I guess). Anyone who wants to help, please test that and leave comments on the PR so that hopefully we can stay on that schedule. |
This issue has been open since 2016; is there a chance that this gets added to Docker in the next years....? This is a must-have feature for running Docker in Docker on a swarm. Please, Docker team. Sorry, but this is very frustrating for me. I can't switch to a HA setup because of this :( |
#39173 was merged, so this feature will ship as part of Docker 19.06 / 19.09 (not sure of the actual version yet). Please look at my question about the CLI side implementation on #25885 (comment) |
FYI #25885 (comment) |
Hi If, let's say, node1 fails then I can move the usb-dongle to node2 and the service is started there. If you are interested in the cron script then look here: |
I am trying to run If not, it seems my container must have |
Note on Docker 20.10.x you can use To allow the iptables command inside of a container you need to use @thaJeztah I think that we can actually close this issue? |
@olljanat the problem in my case is different. I already have |
@kaysond in that case please create a new issue with all the asked details. |
@beornf a workaround that I was able to use is It similarly runs a process in the specified namespace, it just doesn't do all of the remounting that |
Could you provide a sample compose yaml demonstrating this? |
It's just
|
Output of `docker version`:

Output of `docker info`:

Additional environment details (AWS, VirtualBox, physical, etc.):
Ubuntu 14.04 VM under KVM running Docker engine 1.12 RC4
Steps to reproduce the issue:
Describe the results you received:
I can run "docker run --privileged" to allow an NFS mount from within my container, however there is no way to pass this --privileged flag to "docker service", and if I do not pass the --privileged flag, the container would error internally on the mount like:
Describe the results you expected:
I should be able to have my container mount an NFS server from within it. I do not want to do this externally or via a docker volume, for example, I am trying to drive a huge number of parallel containers running NFS mounts and I/O individually.
Additional information you deem important (e.g. issue happens only occasionally):